_out

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .out – never observed with an appended victim ID, version tag or contact e-mail.
  • Renaming Convention:
    <original_filename>.<original_ext>.out
    Example: presentation.pptx.out, CRM_backup.zip.out.
    The double-extension pattern leaves the original file name and extension readable, so encrypted files are easy to identify and their original type can be recovered by stripping the trailing .out.
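The following is an added example (not code from the original page or from the operators it describes) that parses the <name>.<ext>.out pattern and, going one step beyond this section, turns it into the "burst of renames to .out" alert that the prevention section later asks EDR to raise. The event fields (Time, Process, Path) mirror Sysmon Event ID 11 (FileCreate) but the records, the process name clr_opt.exe and the threshold/window values are constructed assumptions so the logic runs offline.

```powershell
# Added example: triage of the .out double extension plus a per-process rename-burst alert.
# Event records below are constructed, not real telemetry.

$Threshold = 20   # assumed tuning: this many .out creations by one process ...
$WindowSec = 60   # ... inside this many seconds raises an alert

# Recover the original name and extension from <name>.<ext>.out; returns $null when the
# path does not follow the pattern (a bare ".out" with no inner extension is not this family).
function Get-OriginalName {
    param([Parameter(Mandatory)][string]$Path)
    $leaf = [System.IO.Path]::GetFileName($Path)
    if ($leaf -match '^(?<name>.+)\.(?<ext>[A-Za-z0-9]{1,10})\.out$') {
        return [pscustomobject]@{
            Original = '{0}.{1}' -f $Matches['name'], $Matches['ext']
            Ext      = $Matches['ext'].ToLower()
        }
    }
    return $null
}

# Sliding window per process: alert when $Threshold matching creations fall within $WindowSec.
function Find-RenameBurst {
    param([Parameter(Mandatory)][object[]]$Events)
    $alerts = @()
    $hits = foreach ($e in $Events) {
        $orig = Get-OriginalName -Path $e.Path
        if ($null -ne $orig) {
            [pscustomobject]@{ Time = $e.Time; Process = $e.Process; Path = $e.Path; Ext = $orig.Ext }
        }
    }
    foreach ($group in ($hits | Group-Object -Property Process)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; ($i + $Threshold - 1) -lt $sorted.Count; $i++) {
            $span = ($sorted[$i + $Threshold - 1].Time - $sorted[$i].Time).TotalSeconds
            if ($span -le $WindowSec) {
                $alerts += [pscustomobject]@{
                    Process    = $group.Name
                    Files      = $sorted.Count
                    FirstSeen  = $sorted[0].Time
                    Extensions = (($sorted | ForEach-Object { $_.Ext } | Sort-Object -Unique) -join ',')
                }
                break   # one alert per process; Files tells the analyst the scale
            }
        }
    }
    return $alerts
}

# Constructed sample: an unsigned binary writes 25 encrypted files in 25 s on a share, while
# Notepad writes one benign .out file minutes later and must not alert.
$t0 = Get-Date '2020-10-05T09:30:00'
$events = @()
foreach ($i in 1..25) {
    $events += [pscustomobject]@{ Time = $t0.AddSeconds($i); Process = 'C:\Users\Public\clr_opt.exe'; Path = "\\FS01\Finance\report_$i.xlsx.out" }
}
$events += [pscustomobject]@{ Time = $t0.AddMinutes(5); Process = 'C:\Windows\System32\notepad.exe'; Path = 'C:\Temp\build.log.out' }
$events += [pscustomobject]@{ Time = $t0.AddMinutes(6); Process = 'C:\Windows\System32\notepad.exe'; Path = 'C:\Temp\notes.txt' }

Find-RenameBurst -Events $events | Format-Table -AutoSize
```

The window is keyed on the creating process rather than on the whole host so that a legitimate tool emitting a few .out files (compiler output, for instance) does not trip the rule; in production, feed it real Sysmon FileCreate events and tune $Threshold to the slowest write rate you have observed from the encryptor.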

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: isolated operations in March – April 2020; sustained RDP-driven distribution grew into larger clusters from 02 Sept 2020. Most public submissions cluster between October 2020 and October 2021; activity has since diminished but never stopped completely.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. RDP brute-force / credential stuffing – by far the leading entry vector. Attackers buy compromised credentials on dark-web markets or run password sprays directly against 3389/TCP exposed to the internet.
  2. EternalBlue (MS17-010 SMBv1 exploit) – used as a coupled post-exploitation stage once inside the network, spreading internally the way WannaCry did.
  3. Phishing with Office-macro lures – a small subset arrives as a macro dropper (often named invoice_out_12345.xlsm) that downloads the .out encryptor.
  4. Joomla / WordPress plugin vulnerabilities (e.g., 1-days in unpatched File Manager plugins) – used to drop a Windows .NET variant on shared hosting providers and pivot to on-prem servers.
  • Privilege Escalation / Defence Evasion: enables SeDebugPrivilege on its own token (needed to open and terminate protected processes) and tampers with the boot configuration via bcdedit /set {default} safeboot network, which forces the next boot into Safe Mode with Networking (where most security agents are not loaded); it does not prevent Safe Mode boots.
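Because RDP brute force and password spraying are the leading entry vector, the first thing to look for on an exposed host is the failed-logon pattern in the Security log. The following is an added example, not code from the original page: the Get-WinEvent query is a real filter for Event ID 4625, while the sample records, the source addresses and the thresholds are constructed assumptions so the scoring runs offline.

```powershell
# Added example: RDP brute-force / password-spray detection from Security event 4625.

# Pull failed logons that arrived over RDP. With NLA enabled the pre-authentication failure is
# logged as LogonType 3 (network) rather than 10 (RemoteInteractive), so both are kept.
function Get-RdpFailures {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = [int]$d['LogonType']
        }
    } | Where-Object { $_.LogonType -in 3, 10 }
}

# Score each source: many failures across many accounts = spray; many failures on few = brute force.
function Find-PasswordSpray {
    param([object[]]$Failures, [int]$MinAttempts = 20, [int]$MinUsers = 5)   # assumed thresholds
    foreach ($g in ($Failures | Group-Object -Property Source)) {
        $users = @($g.Group | Select-Object -ExpandProperty User -Unique)
        $verdict = if ($users.Count -ge $MinUsers -and $g.Count -ge $MinAttempts) { 'spray' }
                   elseif ($g.Count -ge $MinAttempts) { 'brute-force' }
                   else { $null }
        if ($verdict) {
            [pscustomobject]@{ Source = $g.Name; Attempts = $g.Count; DistinctUsers = $users.Count; Verdict = $verdict }
        }
    }
}

# Constructed sample: 198.51.100.7 sprays 40 accounts once each, 203.0.113.9 hammers one
# account 60 times, and an internal user mistypes a password once.
$t0 = Get-Date '2020-09-02T03:00:00'
$sample = @()
foreach ($i in 1..40) { $sample += [pscustomobject]@{ Time = $t0.AddSeconds($i); User = "user$i";        Source = '198.51.100.7'; LogonType = 10 } }
foreach ($i in 1..60) { $sample += [pscustomobject]@{ Time = $t0.AddSeconds($i); User = 'administrator'; Source = '203.0.113.9';  LogonType = 3 } }
$sample += [pscustomobject]@{ Time = $t0; User = 'jsmith'; Source = '10.0.0.20'; LogonType = 10 }

Find-PasswordSpray -Failures $sample | Format-Table -AutoSize
# On a live host: Find-PasswordSpray -Failures (Get-RdpFailures -Hours 24)
```

A spray stays under the per-account lockout threshold by design, which is why the rule groups on source address and counts distinct users rather than relying on lockout events alone.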

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable or restrict exposure of 3389/TCP (RDP): reachable only through a VPN or Zero-Trust gateway, never directly from the internet, and with Network Level Authentication enforced.
    • Local and GPO-enforced account lockout for RDP (e.g., 3 failed logons = 30-minute lockout).
    • Disable SMBv1 network-wide (via Group Policy, or per host with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol; on Windows Server, Uninstall-WindowsFeature -Name FS-SMB1) and patch MS17-010 on every host without exception.
    • Harden Office macros: block macros in files downloaded from the internet (Mark-of-the-Web) and enforce a signed-macros-only policy.
    • Backups: 3-2-1 rule – three copies, two media types, at least one offline AND versioned (WORM / immutable object-lock buckets).
    • Enforce EDR/AV with a behaviour rule that alerts on a burst of file renames to the .out extension (YARA example supplied under tools below).
    • Password hygiene: eliminate shared or reused local-admin passwords by deploying Microsoft LAPS.
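The following is an added example (not from the original page) that audits the controls listed above on the local host without changing anything. The registry locations are the documented Group Policy mappings for RDP, the Office 2016/365 macro policy (16.0 hive) and LAPS; the "net accounts" parse assumes English output, the firewall check needs the NetSecurity module (Windows 8 / Server 2012 and later), and the lockout ceiling of 3 follows the recommendation above.

```powershell
# Added example: read-only hardening audit for the prevention items above.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-OutHardening {
    param([int]$MaxLockoutThreshold = 3)   # page recommendation; raise if your policy differs
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
    }

    # 1. RDP: either off entirely, or on with NLA and not reachable from "Any".
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = Get-RegValue $ts 'fDenyTSConnections'
    if ($deny -eq 1) {
        Add-Finding 'RDP disabled' $true 'fDenyTSConnections=1'
    } else {
        $nla = Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'
        Add-Finding 'RDP requires NLA' ($nla -eq 1) "UserAuthentication=$nla"
        $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
                Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
        Add-Finding 'RDP firewall rule scoped' (-not $open) $(if ($open) { 'inbound 3389 allowed from Any; restrict to the VPN/ZTNA range' } else { 'no unscoped inbound RDP rule' })
    }

    # 2. Account lockout threshold ("Never" means no lockout at all).
    $acct = (net accounts 2>$null) -join "`n"
    $thr  = if ($acct -match 'Lockout threshold:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    Add-Finding "Lockout threshold <= $MaxLockoutThreshold" (($thr -match '^\d+$') -and ([int]$thr -le $MaxLockoutThreshold)) "Lockout threshold: $thr"

    # 3. SMBv1 server side (the MS17-010 surface).
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
        Add-Finding 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"
    } catch {
        Add-Finding 'SMBv1 disabled' $false 'Get-SmbServerConfiguration unavailable; check the SMB1Protocol feature manually'
    }

    # 4. Office macro policy: MotW block plus VBAWarnings 3 (signed only) or 4 (all disabled).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $motw = Get-RegValue $sec 'blockcontentexecutionfrominternet'
        $vba  = Get-RegValue $sec 'VBAWarnings'
        Add-Finding "$app blocks internet macros" ($motw -eq 1) "blockcontentexecutionfrominternet=$motw"
        Add-Finding "$app signed-only macros" ($vba -in 3, 4) "VBAWarnings=$vba (3 = signed only, 4 = all disabled)"
    }

    # 5. LAPS: legacy AdmPwd policy or the Windows LAPS policy key.
    $legacy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    $modern = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' 'BackupDirectory'
    Add-Finding 'LAPS policy present' (($legacy -eq 1) -or ($null -ne $modern)) "AdmPwdEnabled=$legacy; BackupDirectory=$modern"

    return $findings
}

Test-OutHardening | Format-Table -AutoSize
```

Run it from an elevated prompt under the user whose Office policy you want to verify (the macro keys live in HKCU); any FAIL row maps directly to one bullet above.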

2. Removal

  • Infection Cleanup – In-Order:
  1. Isolate the host(s) from LAN/Wi-Fi immediately: pull the cable, or set the Windows Firewall to default-deny in both directions (netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound). Merely switching the firewall on does not isolate anything.
  2. Identify running persistence:
    • Dropped binary under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\Usage\ (*binary*) and a scheduled task named clr_optimizations_v4.0.* that mimics the legitimate .NET optimisation task.
    • Registry value “clr_opt” under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  3. Kill processes: taskkill /F /PID <pid> for each malicious process, and check for a fake winlogon.exe running from any path other than %SystemRoot%\System32.
  4. Remove the binary and its autorun entries (the Run value and the scheduled task).
  5. Volume Shadow Copies: the malware runs vssadmin delete shadows /all, so check with vssadmin list shadows. Deleted snapshots cannot be recovered, and Windows Defender System Guard runtime attestation only reports device integrity; it does not restore data. Once the host is clean, recovery means either an OS reinstall (including a fresh MBR/EFI boot configuration, since bcdedit was tampered with) or restoring files from offline backups.
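The following is an added example (not code from the original page) that carries out the five steps above in one pass: containment, a hunt for the persistence artefacts named in step 2, the disguised-winlogon check from step 3, and the recovery-state check from step 5. Run it elevated. The indicator names and paths come from the steps above; the management address 10.0.0.5 is an assumption, and -Remove is off by default so the first run only reports.

```powershell
# Added example: containment, persistence hunt and recovery-state check for the .out cleanup.

function Invoke-HostIsolation {
    param([string]$ManagementIp = '10.0.0.5')   # assumed IR jump host that must stay reachable
    # Default-deny both directions; explicit allow rules still override the policy default.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
    New-NetFirewallRule -DisplayName 'IR-mgmt-in'  -Direction Inbound  -RemoteAddress $ManagementIp -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'IR-mgmt-out' -Direction Outbound -RemoteAddress $ManagementIp -Action Allow | Out-Null
}

function Find-OutPersistence {
    param([switch]$Remove)
    $hits = @()

    # Run key value "clr_opt"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'clr_opt')) {
        $hits += [pscustomobject]@{ Type = 'RunKey'; Location = "$runKey\clr_opt"; Detail = $run.clr_opt }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'clr_opt' }
    }

    # Scheduled task clr_optimizations_v4.0.* (look-alike of the legitimate .NET task)
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -like 'clr_optimizations_v4.0*' })) {
        $exec = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $exec }
        if ($Remove) { Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false }
    }

    # Dropped binary under the CLR_v4.0_32\Usage tree; hash every file for the IOC list
    $dropDir = Join-Path $env:LOCALAPPDATA 'Microsoft\CLR_v4.0_32\Usage'
    foreach ($f in (Get-ChildItem -Path $dropDir -File -Recurse -ErrorAction SilentlyContinue)) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $hits += [pscustomobject]@{ Type = 'DroppedFile'; Location = $f.FullName; Detail = "SHA256 $hash" }
        if ($Remove) { Remove-Item -Path $f.FullName -Force }
    }

    # A process calling itself winlogon.exe outside System32 is the disguise step 3 warns about
    foreach ($p in (Get-Process -Name winlogon -ErrorAction SilentlyContinue)) {
        if ($p.Path -and ($p.Path -notlike "$env:SystemRoot\System32\*")) {
            $hits += [pscustomobject]@{ Type = 'FakeWinlogon'; Location = $p.Path; Detail = "PID $($p.Id)" }
            if ($Remove) { Stop-Process -Id $p.Id -Force }
        }
    }
    return $hits
}

function Get-RecoveryState {
    # Remaining snapshots plus the bcdedit values ransomware tampers with (English bcdedit output assumed).
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    $bcd = (bcdedit /enum '{default}') -join "`n"    # braces must be quoted or PowerShell reads a script block
    [pscustomobject]@{
        ShadowCopies    = $shadows
        SafebootSet     = ($bcd -match 'safeboot')
        RecoveryEnabled = -not ($bcd -match 'recoveryenabled\s+No')
    }
}

Invoke-HostIsolation
Find-OutPersistence | Format-Table -AutoSize   # report only
# Find-OutPersistence -Remove                  # second pass, after the findings have been preserved
Get-RecoveryState
```

Collect the report (and the hashed dropper) before running with -Remove, otherwise the evidence needed to scope the rest of the fleet is gone; a SafebootSet of True means the boot entry has to be cleaned (bcdedit /deletevalue {default} safeboot) before the host is trusted again.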

3. File Decryption & Recovery

  • Recovery Feasibility: only from backups – no public decryptor exists. The reported scheme is AES-256 + RSA-2048, with per-file key material generated on the host and sent to the operator's server, so nothing left on the victim machine can reverse the encryption.
  • Essential Tools/Patches:
  • Kaspersky for Business and Bitdefender (GRZ pattern, May-2021 update) detect the encryptor; Microsoft Defender AV definitions from June 2021 (build 1.343.273.0 and later) flag it as “Ransom:Win32/Outcrypt.A”.
  • NinjaRMM, Acronis Universal Restore and Veeam NAS backup restore are the three fast-restore stacks MSSPs report using.
  • Optional YARA telemetry:
```yara
rule ransomware_out_double_ext
{
    meta:
        description = "Encryptor writing the .out double extension (page-supplied indicators)"
    strings:
        $magic  = { 45 4C 46 4B 79 00 }   // byte sequence reported at the start of the sample
        $banner = "OUTCRYPT 1.3"
        $outext = ".out" fullword
    condition:
        2 of them and filesize < 2MB
}
```

4. Other Critical Information

  • Unique Characteristics:
  • Drops a ransom note, !!!##_DECRYPT_##!!!.hta, on the Desktop, and a second-stage copy under %SYSTEMDRIVE%\Recovery\WindowsRE\WinREAgent (the recovery-environment tree on the system drive) so it survives an image-based reset that keeps WinRE.
  • Heavy abuse of icacls to strip NTFS ACL inheritance, locking administrators out of the encrypted trees.
  • Explicitly stops SQL Server, Exchange and MySQL services so that their otherwise-locked database files can be encrypted.
  • Broader Impact:
    Three mid-tier MSP outbreaks (two in the US, one in Australia) highlighted the supply-chain risk: because the .out variant pivots laterally, it encrypted not only on-prem servers but also customer data replicated to cloud file shares that had inherited the broken NTFS permissions. The average ransom demand was 0.17 BTC; around Bitcoin's all-time high (Nov 2021) that came to roughly USD 9k–18k per victim. The activity drew OFAC attention, whose ransomware advisory warns that paying clusters tied to sanctioned, APT-style laundering chains carries sanctions liability, in effect a “do-not-pay” list.
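The icacls abuse above is what keeps administrators out of the encrypted trees after the encryptor is gone, so the share has to be repaired before restore jobs can write into it. The following is an added example (not from the original page) that finds folders under a share where inheritance was stripped or the DACL can no longer be read, and resets them. The share path is an assumption; run elevated and use -DryRun first, because icacls /reset discards every explicit ACE on the subtree.

```powershell
# Added example: locate and repair folders whose inheritance was removed with icacls.

function Test-AclDamaged {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # AreAccessRulesProtected is $true when inheritance has been disabled on the object.
        return (Get-Acl -Path $Path -ErrorAction Stop).AreAccessRulesProtected
    } catch {
        return $true   # cannot even read the DACL: administrators have been locked out
    }
}

function Find-DamagedFolders {
    param([Parameter(Mandatory)][string]$Root)
    # Children of a locked folder are unreachable from here, but /reset /T below covers the subtree.
    $out = @()
    foreach ($d in (Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)) {
        if (Test-AclDamaged -Path $d.FullName) { $out += $d.FullName }
    }
    return $out
}

function Repair-AclInheritance {
    param([Parameter(Mandatory)][string]$Root, [switch]$DryRun)
    $targets = @(Find-DamagedFolders -Root $Root)
    foreach ($dir in $targets) {
        if ($DryRun) { Write-Host "would reset: $dir"; continue }
        # Take ownership first (Administrators group, recursive, no prompt), then replace the DACLs
        # with the inherited defaults so the parent's permissions flow down again.
        takeown /F "$dir" /A /R /D Y | Out-Null
        icacls "$dir" /reset /T /C /Q | Out-Null
        Write-Host "reset: $dir"
    }
    return $targets.Count
}

Repair-AclInheritance -Root 'D:\Shares\Finance' -DryRun   # assumed share; prints the folders it would touch
```

Folders that legitimately carried explicit grants (a team-only subfolder, for example) will lose them to /reset; re-apply those from your access model or a pre-incident export of Get-Acl rather than from the live, tampered DACLs.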

Bottom line: make RDP unreachable from the internet, patch end-of-life or unknown services, keep backups offline or immutable, and treat the creation of files carrying the .out double extension as an early-warning signal worth alerting or quarantining on.